Sodinokibi ransomware appears to be guilty of Travelex attack

A closer view to the December 31st Travelex malware attack

The criminals who distributed Sodinokibi urged for a $3M ransom price from Travelex

Since the malware that managed to breach Travelex's network has not been discovered yet, researchers could not provide much information on the incident.^[1] However, cybersecurity experts have finally identified that Sodinokibi is responsible for attacking the London-based cryptocurrency exchange firm.^[2]

This incident brought a lot of monetary losses for Travelex as, due to infected services, the company had to shut down all of its computer systems and the customers were left with no ability to make payments via 1200 stores that are owned by this company worldwide.^[3]

The demanded ransom price came up to $3 million

Sodinokibi developers decided to be a bit greedy and urged for $3 million in exchange for the decryption tool for locked files and documents.^[4] However, the hackers decided to steal personal information, including birth dates, SSNs, credential information, and other data that formed a 5 GB load.^[5] The company was threatened later that these details will be exposed if Travelex is not going to agree to make the payment during seven days after the attack.^[6]

According to security specialists, the criminals investigated the entire system and made themselves sure that there is valuable data that they can target before taking any actions. Afterward, the files were encrypted by using a unique encryption key and each filename ended up with a random five-character extension. The ransom note states that the criminals have developed the most advanced encryption technology that is available nowadays and promises that the decryption tool will surely be received after the payment is processed.

However, you can never be sure if the hackers will not appear to be scammers and just run off with your money and we are talking about $3 million here! After paying the demanded amount, it is impossible that you will be able to get your money back as such criminals urge for Bitcoin transfers that allow the process to remain anonymous and untrackable.

Unsecured Travelex services might have done a big part in the infection process

Even though it is not clear how the infiltration and infection processes happened, Travelex is known to have been running services that were not properly secured and could have resulted in the breach of the firm's networks and services.

Travelex employs the Pulse Secure VPN for ensuring secure contact. However, this VPN has already been noticed in a serious flaw patch that occurred last year. The CVE-2019-11510 vulnerability allowed random people to perform remote connections on the network and shut down the multi-factor authentication^[7] function, spy on view logs and stored passwords.

A cybersecurity researcher named Troy Mursch discovered back then that around 15 000 systems were at risk of getting exposed by this vulnerability and Travelex was also included in that list. Even though the company got informed about this fact, no response was received. The Pulse Secure company states that the patch for the before-mentioned problem has already been available since April 24, 2019 and all the customers were already informed about the fix process via email and notifications.

Nevertheless, there was another investigation that revealed Travelex holding Windows servers on its Amazon cloud platform that did not include the Network Level Authentication future and was exposed to the entire web. This could have led to a random hacker connecting to the server without any required authentication.